Pritunl: Setting up an open-source VPN server

Every team eventually needs a VPN — for security, for remote work, for poking at internal-only services. There are plenty of options out there. The most common commercial pick is OpenVPN Access Server, but the free tier caps at 2 concurrent users. Pritunl is open source, uses OpenVPN under the hood, ships built-in 2FA, and supports WireGuard as a bonus. This post walks through the install and the initial setup. I'm using Ubuntu 20.04, but the same flow works on other distros.

Install

1. Add the MongoDB apt repo

Pritunl uses MongoDB for storage.

bash
sudo wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list

2. Add the Pritunl apt repo

bash
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt focal main
EOF

Trust the repo key:

bash
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A

3. Refresh apt

bash
sudo apt update

4. Install WireGuard

WireGuard is in the mainline Linux kernel now. Pritunl uses OpenVPN by default, but with WireGuard installed you can offer both protocols.

bash
sudo apt -y install wireguard wireguard-tools

5. Install Pritunl and MongoDB

bash
sudo apt -y install pritunl mongodb-org=4.4.11 mongodb-org-server=4.4.11 mongodb-org-shell=4.4.11 mongodb-org-mongos=4.4.11 mongodb-org-tools=4.4.11

6. Enable and start the services

bash
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl
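With MongoDB and Pritunl on the same host, the thing worth checking before opening the box to users is that both services came up and that MongoDB is listening on loopback only (the mongodb-org package defaults to `bindIp: 127.0.0.1`, and nothing on this host needs it reachable from the network). The script below is an added example, not code from the post or from Pritunl/MongoDB; it assumes the unit names `mongod` and `pritunl` from the step above, MongoDB's default port 27017, and the column layout of `ss -ltn`. The checks take their input as text, so they run here against constructed sample output; pass `--live` to run them against the real host.

```shell
#!/usr/bin/env bash
# Post-install checks for a Pritunl host where MongoDB runs on the same machine.
# Added example, not part of the original post or of Pritunl/MongoDB themselves.
# Each check takes its input as text so the logic can be exercised on the
# constructed samples below; --live runs the same checks on this host.

# Return 0 if every named systemd unit reports "active", else 1.
services_active() {
  for unit in "$@"; do
    [ "$(systemctl is-active "$unit" 2>/dev/null)" = "active" ] || return 1
  done
  return 0
}

# Given the text of `ss -ltn` (listening TCP sockets), print every local
# address:port bound on MongoDB's default port 27017, one per line.
mongo_listen_addrs() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == "27017") print $4 }'
}

# Return 0 if every MongoDB listener is on a loopback address (127.0.0.1 or [::1]).
# A wildcard (0.0.0.0, [::], *) or LAN address means the database is reachable
# from the network, which a same-host Pritunl install never needs.
mongo_bound_locally() {
  while read -r addr; do
    [ -n "$addr" ] || continue
    case "$addr" in
      127.0.0.1:27017|'[::1]:27017') ;;
      *) return 1 ;;
    esac
  done <<EOF
$(mongo_listen_addrs "$1")
EOF
  return 0
}

# Extract net.bindIp from the text of /etc/mongod.conf (YAML as shipped by the
# mongodb-org package); the package default is 127.0.0.1.
mongod_bind_ip() {
  printf '%s\n' "$1" | awk '$1 == "bindIp:" { print $2; exit }'
}

# Constructed sample of `ss -ltn` output: MongoDB on loopback only (the healthy case).
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:27017   0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*'

# Constructed sample where MongoDB has been bound to all interfaces.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:27017     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*'

# Constructed excerpt of /etc/mongod.conf with the package default.
SAMPLE_MONGOD_CONF='net:
  port: 27017
  bindIp: 127.0.0.1'

# Live mode: run the same checks against this host.
if [ "${1:-}" = "--live" ]; then
  if services_active mongod pritunl; then
    echo "services: mongod and pritunl active"
  else
    echo "services: NOT all active (check: systemctl status mongod pritunl)"
  fi
  if mongo_bound_locally "$(ss -ltn)"; then
    echo "mongodb: listening on loopback only"
  else
    echo "mongodb: EXPOSED on a non-loopback address"
  fi
  echo "mongod.conf bindIp: $(mongod_bind_ip "$(cat /etc/mongod.conf)")"
fi
```

Run it as `bash pritunl-check.sh --live` on the server after step 6; the sample variables are only there so the parsing functions can be tried without a live host.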

That's the install. On to configuration.

Initial configuration

Browse to https://<server_ip> (note: HTTPS — Pritunl uses a self-signed cert until you point a domain at it).

Get the setup key from the server:

bash
sudo pritunl setup-key

Sample:

bash
cc8159d00b7b45eea655ed53fe2ba0ce

Paste it into the Setup Key field in the UI. If MongoDB is on the same host (it is in this guide), leave the MongoDB URI as the default.

Next you'll see the login page. Grab the default admin credentials from the server:

bash
sudo pritunl default-password

Sample:

bash
root@pritunl:~# sudo pritunl default-password
[undefined][2022-06-08 21:46:55,677][INFO] Getting default administrator password
Administrator default password:
  username: "pritunl"
  password: "sFBS1w9APytX"

Once logged in you'll land on the initial settings — port, domain, etc. If you have a domain, set it here. With a valid domain Pritunl will pull a free Let's Encrypt cert and renew it automatically.

Servers, organizations, users

Pritunl's hierarchy: Server > Organizations > Users. Start by creating a server: Servers → Add Server.

A few options worth calling out:

Once the server is created, the default 0.0.0.0/0 route is added. That's "send all traffic through the VPN" (full tunnel). If you want a split tunnel instead — clients use their own internet but can still reach private subnets via the VPN — remove the 0.0.0.0/0 route and add only the subnets you want to expose.

Now create an organization (Users → Add Organization) and a user under it (Users → Add User).

Pick a username and the org, then set a PIN.

Attach the organization to the server (Servers → Attach Organization).

You're done. From the Users page, copy the user's profile link.

The user uses that URL to set their PIN, grab a 2FA QR code, and download the right Pritunl client for their OS. The link is good for 24 hours — once the user has set up their client, they can hit Delete Temporary Profile Link to revoke it.

Pritunl is a solid open-source pick — between built-in 2FA, automatic Let's Encrypt, and OpenVPN/WireGuard support, there isn't much else you need.